Gunther wrote:
Anyhow, I still have the problem that clients using ISPs with shared IP addresses (e.g. some satellite providers etc) have to use exactly the same shared secret for all routers (nas) despite they might be different customers.
In addition, we have clients with the nas installed on vessels and they roam between different satellite links and IP addresses. At times vessels from different companies are using the same IP address at the same time.
The only real solution is a secure transport protocol. Install FR on each system, and use RADIUS over TLS. That solves both the "re-use IP" and the "end system identity" problem.
Here comes the problem! ... While the request (id=42) is getting through, the reply is using a different shared secret, the one found in the first access-request (id=39) and the reply will therefore not be accepted by the nas and the NAS log shows: RADIUS server is not responding
Exactly. RADIUS requires a unique IP for every client.
My conclusion: I like to use the e.g. NAS-Identifier for a unique identification of a client/nas instead of the IP.
You can come up with horrible hacks, or you can use crypto.
Any hints using FreeRadius with the NAS-Identifier in this context are appreciated!
Edit the source code.
Or if FreeRadius cannot support this, are there other Radius server which could do this job?
I'm not sure that *any* RADIUS server supports this.
Is there by chance anywhere Freeradius developer documentation available or is the 'documented' source code the documentation?
All documentation ships with the server. Alan DeKok.